CN116708003A - Malicious encryption traffic detection method - Google Patents

Malicious encryption traffic detection method

Publication number
CN116708003A
Authority
CN
China
Prior art keywords
data
encrypted
feature
traffic
encrypted traffic
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310863918.8A
Other languages
Chinese (zh)
Inventor
刘泳锐
薛晨浩
王鹏
邢燕祯
秦志鹏
吕志梅
陈解元
范广
杨朝晖
李华
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
National Computer Network and Information Security Management Center
Original Assignee
National Computer Network and Information Security Management Center
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by National Computer Network and Information Security Management Center

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00Pattern recognition
    • G06F18/20Analysing
    • G06F18/21Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/214Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00Computing arrangements based on biological models
    • G06N3/02Neural networks
    • G06N3/04Architecture, e.g. interconnection topology
    • G06N3/0464Convolutional networks [CNN, ConvNet]
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00Computing arrangements based on biological models
    • G06N3/02Neural networks
    • G06N3/08Learning methods
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02DCLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00Reducing energy consumption in communication networks
    • Y02D30/50Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate


Abstract

The invention belongs to the technical field of network security, and particularly relates to a malicious encrypted traffic detection method. The method comprises the following steps: S1: collecting encrypted traffic data; S2: processing the collected encrypted traffic data and converting it to a uniform scale; S3: calculating the information entropy of the encrypted traffic data and using the information entropy as the feature vector of the encrypted traffic; S4: taking the feature vector as a new data set and dividing the data set into a training set, a testing set and a verification set; S5: training, testing and verifying the neural network model with the training set, the testing set and the verification set respectively, and using the trained neural network model to detect abnormal traffic. The model provided by the invention shows better overall performance in detection metrics and stability when detecting two-class or multi-class multi-dimensional data, avoids the adverse effect of manually selected parameters on the prediction results, and is of great significance for network security detection of malicious encrypted traffic.

Description

Malicious encryption traffic detection method
Technical Field
The invention belongs to the technical field of network security, and particularly relates to a malicious encrypted traffic detection method.
Background
With the development of Internet technology, encrypted traffic has been rapidly developed and widely applied, and has become the mainstream traffic on the Internet. Encrypted traffic is intended to solve the security and privacy problems of network traffic, but in practice, while it protects data security, it also greatly increases the risk of malicious traffic being hidden. As the threshold for using encryption technology falls, attackers can more easily hide malicious intent through traffic encryption, which makes detection difficult. Malicious encrypted traffic detection technology therefore has important security significance.
Because the data in encrypted traffic is encrypted, traditional plaintext-based traffic analysis methods are difficult to apply directly, while decrypting malicious encrypted traffic for analysis suffers from problems such as encryption algorithms that are hard to break and high decryption cost. To address these problems, a malicious encrypted traffic detection method based on information entropy (Shannon entropy, H), a convolutional neural network (CNN) and a long short-term memory network (LSTM) is provided. Encrypted traffic features are obtained with an entropy function, and a CNN-LSTM deep learning model is used for training and classification.
1. Anderson et al. collected millions of normal and malicious traffic flows, analyzed the differences in TLS flows, DNS flows and HTTP flows, input the feature vector of the encrypted traffic under test into a model, and judged whether the traffic was malicious according to a preset threshold. However, the study is based on traffic data collected in a 5-minute window on a Windows XP system, so a model built on this data set may be biased.
2. Paul Prasse et al. studied encrypted malware, focusing mainly on flow features and domain name features. A long short-term memory (LSTM) network was used as the detection classifier and compared with a random forest method. The results show that the LSTM-based model is superior to the random forest model. However, the detection rate of the L model is not high.
3. Pascanu et al. proposed a malware detection system with a 2-layer architecture, which uses an echo state network (ESN) and a recurrent neural network (RNN) for feature learning, combined with a logistic regression classifier to identify traffic, thereby detecting malware. The results show that the method can identify malware. However, its false alarm rate is high, reaching 10%.
As encrypted traffic continues to grow, the means of carrying out malicious attacks through encrypted traffic become more varied, the threat from encrypted malicious traffic gradually increases, and the network security situation becomes more serious and complex. How to effectively detect malicious traffic in industrial Internet encrypted traffic has become a problem to be solved.
Disclosure of Invention
The invention provides a malicious encrypted traffic detection method to effectively address the threat of malicious encrypted traffic and improve the accuracy with which it is detected.
The invention adopts the following technical scheme: a malicious encrypted traffic detection method, comprising:
S1: collecting encrypted traffic data;
S2: processing the collected encrypted traffic data and converting it to a uniform scale;
S3: calculating the information entropy of the encrypted traffic data and using the information entropy as the feature vector of the encrypted traffic;
S4: taking the feature vector as a new data set and dividing the data set into a training set, a testing set and a verification set;
S5: training, testing and verifying the neural network model with the training set, the testing set and the verification set respectively, and using the trained neural network model to detect abnormal traffic.
In some embodiments, step S1 comprises: network communication traffic is collected through the traffic probe device, encrypted traffic data is obtained, and data packet capturing is performed by mirroring all traffic of one or more ports in the network to one port.
In some embodiments, step S2 comprises:
S21: data cleaning: re-examining and checking the encrypted traffic data, deleting duplicate information and correcting errors;
S22: data dimension reduction;
S23: data transformation: normalizing the data.
In some embodiments, step S22 includes:
finding the positive sample indices;
finding the negative sample data volume;
using random downsampling to randomly select, from the positive samples, the same number of samples as there are negative samples;
combining the newly obtained positive samples with the original negative sample data to form new sample data.
In some embodiments, step S23 includes:
calculating the mean of all values of feature j
Feature j is represented asWherein i represents the i-th value of feature j, ">Is the mean of feature j.
calculating the standard deviation of feature j
Z-Score normalization:
the characteristic j is the encrypted flow data characteristic after data cleaning and dimension reduction; feature j is represented asWherein i represents the ith value of feature j; />Is the mean value of feature j; />Standard deviation for feature j; />The value corresponding to the ith value of the feature j after normalization.
In some embodiments, step S3 comprises:
S31: dividing the encrypted traffic sequence data into a plurality of packets through a sliding window;
S32: calculating the information entropy of the data in each packet;
S33: combining the information entropy of each packet, the set of all information entropy values being used as the feature vector.
In some embodiments, step S32 includes:
for each packet S_i, calculating its frequency distribution P_i(s), i.e. the probability that an element with value s occurs in S_i;
computing the entropy value of subsequence S_i according to the formula, obtaining the entropy of subsequence S_i, denoted H_i.
In some embodiments, the neural network model in S5 is a deep learning model constructed from CNN-LSTM.
Compared with the prior art, the invention has the following beneficial effects:
(1) Information entropy is used for feature calculation, and the features form a new data set; no prior knowledge or category labels are required, the method can process unrestricted data sets, and redundant features can be effectively reduced.
(2) The model provided by the invention shows better overall performance in detection metrics and stability when detecting two-class or multi-class multi-dimensional data, avoids the adverse effect of manually selected parameters on the prediction results, and is of great significance for network security detection of malicious encrypted traffic.
Drawings
FIG. 1 is a flow chart of a method for detecting malicious encrypted traffic;
FIG. 2 is a block diagram of a convolutional neural network;
FIG. 3 is a block diagram of the LSTM model;
FIG. 4 is a flow chart of model testing and verification.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more clear, the technical solutions in the embodiments of the present invention will be clearly and completely described below, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments; all other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
As shown in fig. 1, a malicious encrypted traffic detection method includes the following steps:
S1: collecting encrypted traffic data:
Network communication traffic is collected through traffic probes and other devices to obtain encrypted traffic data; packets can be captured by mirroring all traffic of one or more ports in the network to one port. The main types of malicious traffic include malware, tunnel traffic, SSL/TLS traffic, DNS-over-HTTPS (DoH), DNS-over-TLS (DoT), and the like.
S2: processing the collected encrypted traffic data and converting it to a uniform scale.
Data cleaning: the data is re-examined and checked, duplicate information is deleted, and existing errors are corrected. Methods for deleting invalid or erroneous values in the data include whole column deletion, variable deletion, paired deletion and the like; methods for handling missing values include mean interpolation, high-dimensional mapping and the like.
Data dimension reduction: the cleaned data may still have too high a dimension, and training on it directly consumes more resources, so dimension reduction is required. Common methods include principal component analysis, downsampling, feature subset selection, and the like. When performing anomaly detection on encrypted traffic data, normal traffic may far outnumber abnormal traffic, so the imbalanced data must be handled. This patent uses downsampling, as follows:
(1) Find the positive sample indices index(x).
(2) Find the negative sample data volume Len(y).
(3) Using random downsampling, select from the positive samples, by randomly choosing index(x) values, the same number of positive samples as the negative sample count Len(y).
(4) Combine the newly obtained positive samples with the original negative sample data to form new sample data.
Data transformation: the data is normalized to facilitate subsequent information mining; common methods include digitization, centering, standardization, and the like. Digitization converts non-numeric information, such as network protocol information, into data that can be represented by simple numerical values. Centering subtracts the mean or some specified value from the data. Standardization rescales the sample data in each dimension without changing the geometric distance of the original data, removing the differences in measurement units between features while keeping the information (distribution) of the original sample data in each dimension.
Because the original encrypted data has many features, each with a different unit of measurement, comparison and analysis of the data are affected, so the data must be converted to a uniform scale for better analysis. This patent uses Z-score standardization on the collected encrypted traffic data, converting the data to a standard normal distribution with a mean of 0 and a standard deviation of 1. The specific implementation is as follows:
(1) Calculating the mean of all values of feature j
(2) Calculating the standard deviation of feature j
(3) Z-Score standardization implementation
The characteristic j is the encrypted flow data characteristic after data cleaning and dimension reduction; feature j is represented asWherein i represents the ith value of feature j; />Is the mean value of feature j; />Standard deviation for feature j; />The value corresponding to the ith value of the feature j after normalization.
The original data is processed through Z-score normalization, and the influence of unit and scale differences in the original data on data analysis is eliminated.
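The S22 downsampling and S23 Z-score steps above, as an added example (not code from the patent). The sample records, the fixed random seed, the use of the population standard deviation, and mapping a constant feature to 0 are assumptions; the text does not specify them.

```python
import math
import random

# Constructed sample records: [packet size (bytes), inter-arrival time (ms), protocol id].
# Following the text, "positive" is the over-represented class that gets downsampled.
ROWS = [
    [60.0, 10.0, 1.0],
    [1500.0, 2.0, 1.0],
    [600.0, 5.0, 1.0],
    [40.0, 100.0, 1.0],
    [1200.0, 1.0, 1.0],
    [800.0, 20.0, 1.0],
    [52.0, 500.0, 1.0],
    [52.0, 480.0, 1.0],
]
LABELS = ["positive"] * 6 + ["negative"] * 2


def downsample(rows, labels, seed=0):
    """S22: keep Len(y) randomly chosen positive samples plus every negative sample."""
    pos_idx = [i for i, y in enumerate(labels) if y == "positive"]  # index(x)
    neg_idx = [i for i, y in enumerate(labels) if y == "negative"]
    n_neg = len(neg_idx)                                            # Len(y)
    if n_neg > len(pos_idx):
        raise ValueError("fewer positive samples than negative samples")
    rng = random.Random(seed)           # fixed seed for reproducibility (assumption)
    kept = rng.sample(pos_idx, n_neg)   # random selection without replacement
    chosen = sorted(kept + neg_idx)     # keep the original record order
    return [rows[i] for i in chosen], [labels[i] for i in chosen]


def zscore_fit(rows):
    """S23 (1)-(2): mean and standard deviation of every feature j.
    Dividing by N (population standard deviation) is an assumption."""
    n = len(rows)
    cols = list(zip(*rows))
    means = [sum(c) / n for c in cols]
    stds = [math.sqrt(sum((v - m) ** 2 for v in c) / n)
            for c, m in zip(cols, means)]
    return means, stds


def zscore_apply(rows, means, stds):
    """S23 (3): z = (x - mean) / std for each value.
    A constant feature has std == 0; it carries no information and maps to 0.0."""
    return [[(v - m) / s if s > 0 else 0.0
             for v, m, s in zip(row, means, stds)]
            for row in rows]


def run_preprocessing():
    rows, labels = downsample(ROWS, LABELS)
    # The fitted means/stds must be stored and reused on traffic seen at
    # detection time so that it is scaled the same way as the training data.
    means, stds = zscore_fit(rows)
    return rows, labels, zscore_apply(rows, means, stds)


if __name__ == "__main__":
    balanced_rows, balanced_labels, normalized = run_preprocessing()
    for label, row in zip(balanced_labels, normalized):
        print(label, [round(v, 3) for v in row])
```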
S3: calculating the information entropy of the encrypted traffic data and using the information entropy as the feature vector of the encrypted traffic.
By calculating the entropy of the different packets in the encrypted traffic and combining it with other features (such as packet size and inter-arrival time), a classifier that identifies the encrypted traffic can be constructed. The encrypted traffic sequence data is divided into a plurality of packets through a sliding window, and the information entropy of the data in each packet is then calculated. The packet size should typically be small enough that the randomness of the data within each packet remains consistent to some degree. The information entropy of each packet can then be used as an element of the feature vector, giving a set of feature values that reflect the complexity and regularity of the traffic for subsequent classification and identification.
The specific process is as follows:
(1) First the encrypted data sequence S is divided into a plurality of packets of size k, i.e.../>
(2) For each subsequence S_i, calculate its frequency distribution P_i(s), i.e. the probability that an element with value s occurs in S_i.
Compute the entropy value of subsequence S_i according to the formula, obtaining the entropy of subsequence S_i, denoted H_i.
(3) Combine the information entropy of each packet; the set of all information entropy values is taken as the feature vector.
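The S3 procedure above, as an added example (not code from the patent): a sequence is cut into windows of size k, the Shannon entropy of each window is computed from its frequency distribution, and the entropies are collected into the feature vector. Treating the sequence elements as payload bytes, using log base 2, and the window stride `step` are assumptions; the text does not specify them.

```python
import math
from collections import Counter

# Constructed sample sequence (24 bytes): 8 identical bytes, 8 bytes alternating
# between two values, then 8 distinct bytes.
SAMPLE = bytes(8) + bytes([0x17, 0x03] * 4) + bytes(range(0xA0, 0xA8))


def shannon_entropy(window):
    """H_i = sum over s of P_i(s) * log2(1 / P_i(s)), in bits (base 2 assumed)."""
    n = len(window)
    if n == 0:
        return 0.0
    counts = Counter(window)              # frequency of each value s in S_i
    return sum((c / n) * math.log2(n / c) for c in counts.values())


def entropy_features(seq, k, step=None):
    """Split seq into windows S_1, S_2, ... of size k and return [H_1, H_2, ...].

    step == k (the default) gives non-overlapping groups; step < k gives an
    overlapping sliding window. A trailing window shorter than k is dropped so
    that every H_i is computed over the same number of elements.
    """
    if k <= 0:
        raise ValueError("window size k must be positive")
    step = k if step is None else step
    if step <= 0:
        raise ValueError("step must be positive")
    return [shannon_entropy(seq[start:start + k])
            for start in range(0, len(seq) - k + 1, step)]


def entropy_upper_bound(k, alphabet_size=256):
    """Largest H_i a window of k elements can reach: log2(min(k, alphabet size)).

    With small k even perfectly random ciphertext cannot exceed log2(k) bits,
    so k fixes the dynamic range of the feature.
    """
    return math.log2(min(k, alphabet_size))


if __name__ == "__main__":
    print(entropy_features(SAMPLE, 8))          # non-overlapping groups
    print(entropy_features(SAMPLE, 8, step=4))  # overlapping sliding window
    print(entropy_upper_bound(8))
```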
S4: the feature vector is taken as a new data set, and the data set is divided into a training set, a testing set and a verification set.
S5: training, testing and verifying the neural network model with the training set, the testing set and the verification set respectively, and using the trained neural network model to detect abnormal traffic.
Model detection is performed using a convolutional neural network (CNN) and a long short-term memory network (LSTM).
The feature value data is recombined, and the data set is divided into a training set, a testing set and a verification set. Training is carried out with a deep learning model formed by CNN-LSTM, and abnormal traffic is detected.
As shown in FIG. 4: (1) The training set and validation set data are input into the model, entering the CNN first. A CNN is a feed-forward neural network with a deep structure that includes convolution layers; the purpose of a convolution layer is to obtain a feature vector representing the original data by convolving the convolution kernel with the target elements. The spatial features of abnormal traffic generated by different malicious attacks are highly distinguishable and can be used to classify malicious behavior; the CNN forms multiple filters and extracts the spatial features among the data. At each instant, each convolution kernel performs feature extraction on the data elements to form spatial features of the studied data. Performing the convolution operation multiple times turns the raw data into multiple spatial features.
Let the input data be x and the kernel of the layer convolution be k, then the convolution result s can be obtained through one output channel:
where i and j represent the positions of the convolution kernels, m and n represent the sizes of the convolution kernels,representing the value of row i+m, column j+n in the input data, +.>Representing the parameter values of the m-th row and n-th column in the convolution kernel.
(2) The result output by the CNN is input into the LSTM network. Convolutional neural networks (CNNs) obtain spatial features but are insensitive to timing features, and the timing features of different malicious traffic differ greatly. Recurrent neural networks (RNNs) extract timing features from time series data; the LSTM network is an improved RNN that can learn both long-term and short-term dependencies, so an LSTM network is used for training.
The LSTM is structurally similar to the RNN but adds several gate structures: an input gate, a forget gate and an output gate are introduced, and state is stored and updated through the combined action of these gates, so that long-term dependency information is captured. The LSTM model structure is shown in FIG. 3. LSTM forward propagation is defined as follows:
in the formula (i),、/>、/>respectively representing forgetting door, input door, output door,>、/>the weight matrix is represented by a matrix of weights,representing the bias vector +_>Representing the activation function of the gates +.>、/>Respectively represent a long-term memory state and a current state,、/>respectively representing the output state, the output state of the last unit, < ->Representing the current input +.>Representing a hyperbolic tangent activation function.
(3) The malicious encrypted traffic is trained on through the cascaded CNN and LSTM detection model, and the trained model is then run on the test set to detect abnormal data. Testing shows that the method has better stability, can handle problems such as high dimensionality and nonlinearity of a large number of parameters, ensures that the main features of the input variables are not forgotten over time, detects abnormal events accurately, effectively finds malicious encrypted traffic, and improves the ability to discover malicious encrypted traffic events.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and not for limiting the same; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some or all of the technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit of the invention.

Claims (8)

1. A method for detecting malicious encrypted traffic, comprising:
S1: collecting encrypted traffic data;
S2: processing the collected encrypted traffic data and converting it to a uniform scale;
S3: calculating the information entropy of the encrypted traffic data and using the information entropy as the feature vector of the encrypted traffic;
S4: taking the feature vector as a new data set and dividing the data set into a training set, a testing set and a verification set;
S5: training, testing and verifying the neural network model with the training set, the testing set and the verification set respectively, and using the trained neural network model to detect abnormal traffic.
2. The method for detecting malicious encrypted traffic according to claim 1, wherein said step S1 comprises: network communication traffic is collected through the traffic probe device, encrypted traffic data is obtained, and data packet capturing is performed by mirroring all traffic of one or more ports in the network to one port.
3. The method for detecting malicious encrypted traffic according to claim 1, wherein said step S2 comprises:
S21: data cleaning: re-examining and checking the encrypted traffic data, deleting duplicate information and correcting errors;
S22: data dimension reduction;
S23: data transformation: normalizing the data.
4. The method for detecting malicious encrypted traffic according to claim 3, wherein said step S22 comprises:
finding the positive sample indices;
finding the negative sample data volume;
using random downsampling to randomly select, from the positive samples, the same number of samples as there are negative samples;
combining the newly obtained positive samples with the original negative sample data to form new sample data.
5. The method for detecting malicious encrypted traffic according to claim 3, wherein,
the step S23 includes:
calculating the mean of all values of feature j
calculating the standard deviation of feature j
Z-Score standardization implementation:
the characteristic j is the encrypted flow data characteristic after data cleaning and dimension reduction; feature j is represented asWherein i represents the ith value of feature j; />Is the mean value of feature j; />Standard deviation for feature j; />The value corresponding to the ith value of the feature j after normalization.
6. The method for detecting malicious encrypted traffic according to claim 1, wherein said step S3 comprises:
S31: dividing the encrypted traffic sequence data into a plurality of packets through a sliding window;
S32: calculating the information entropy of the data in each packet;
S33: combining the information entropy of each packet, the set of all information entropy values being used as the feature vector.
7. The method for detecting malicious encrypted traffic according to claim 6, wherein said step S32 comprises:
for each packet S_i, calculating its frequency distribution P_i(s), i.e. the probability that an element with value s occurs in S_i;
computing the entropy value of subsequence S_i according to the formula, obtaining the entropy of subsequence S_i, denoted H_i.
8. The method for detecting malicious encrypted traffic according to claim 1, wherein the neural network model in S5 is a deep learning model constructed from CNN-LSTM.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310863918.8A CN116708003A (en) 2023-07-14 2023-07-14 Malicious encryption traffic detection method

Publications (1)

Publication Number Publication Date
CN116708003A 2023-09-05

Family

ID=87835914

Country Status (1)

Country Link
CN (1) CN116708003A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117579397A (en) * 2024-01-16 2024-02-20 杭州海康威视数字技术股份有限公司 Internet of things privacy leakage detection method and device based on small sample ensemble learning
CN117579397B (en) * 2024-01-16 2024-03-26 杭州海康威视数字技术股份有限公司 Internet of things privacy leakage detection method and device based on small sample ensemble learning

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination